| Groups | Blog | Home |
iis security : folder access lan and web
for sbs 2003, so far default iis setup, eg, inetpub/wwwroot, default
permissions, security etc looks like i have to do this differently have a folder for images, right now directly under wwwroot, using for <img tags for pics, etc on web pages like ebay, and others, works fine then i went to share it on the local lan so it will would be easy to copy /paste files there after enabling sharing on the network or sharing on the web, and trying to access files via http, it became pass word protected for http access. i would like it to be password protected for lan access only, actually so i can map drive access to it and allow anon access via http so not sure how to or best way to do it bob
[quoted text, click to view]
On Nov 13, 3:58 pm, "bbxrider" <bxtra...@job1data.com> wrote: > for sbs 2003, so far default iis setup, eg, inetpub/wwwroot, default > permissions, security etc > looks like i have to do this differently > have a folder for images, right now directly under wwwroot, using for <img > tags for pics, etc on web pages like ebay, and others, works fine > then i went to share it on the local lan so it will would be easy to copy > /paste files there > after enabling sharing on the network or sharing on the web, and trying to > access files via http, it became pass word protected for http access. > i would like it to be password protected for lan access only, actually so i > can map drive access to it and allow anon access via http > so not sure how to or best way to do it > bob You probably accidentally enabled "sharing on the web", which is not what you want. Get rid of that. All you need to do from your default configuration is add a UNC File Share to the wwwroot\images folder. I assume you allow SMB traffic on Intranet and not Internet. In this configuration, HTTP can get to everything externally that you expose via IIS. You can use SMB to access the UNC file share internally to do what you want. For certain, whatever you enabled is NOT the right thing and should be reverted. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang //
thanks for the reply
if you can bear with me, i would just like to clear up the terminology when you say 'add UNC file share' that means simply allowing sharing for that folder, (vs not sharing) and i can further tweak that by user permissions, eg, i could say create a user account that has read+write+delete permissions only, without full control, execute, etc so that when mapping a drive to a pc on the lan and there is the prompt for username password, by establishing the map with user account with limited access from above that 'map' has only those limited permissions available to it? yes??? and reading up on smb, it looks like smb is enabled on ethernet by 'client for ms networks' and 'file and printer sharing for ms networks' and i never thought much about those since they always seem to be there, so yes smb is on the lan. it seems odd that smb would be allowed via internet, i'm not sure what that would be about, it sounds dangerous and it sounds somewhat like vpn's i set up to allow remote access to lans as needed for certain apps bob [quoted text, click to view] "David Wang" <w3.4you@gmail.com> wrote in message news:1195013927.789671.136260@i38g2000prf.googlegroups.com... > On Nov 13, 3:58 pm, "bbxrider" <bxtra...@job1data.com> wrote: >> for sbs 2003, so far default iis setup, eg, inetpub/wwwroot, default >> permissions, security etc >> looks like i have to do this differently >> have a folder for images, right now directly under wwwroot, using for >> <img >> tags for pics, etc on web pages like ebay, and others, works fine >> then i went to share it on the local lan so it will would be easy to copy >> /paste files there >> after enabling sharing on the network or sharing on the web, and trying >> to >> access files via http, it became pass word protected for http access. >> i would like it to be password protected for lan access only, actually so >> i >> can map drive access to it and allow anon access via http >> so not sure how to or best way to do it >> bob > > > You probably accidentally enabled "sharing on the web", which is not > what you want. Get rid of that. > > All you need to do from your default configuration is add a UNC File > Share to the wwwroot\images folder. I assume you allow SMB traffic on > Intranet and not Internet. > > In this configuration, HTTP can get to everything externally that you > expose via IIS. You can use SMB to access the UNC file share > internally to do what you want. > > For certain, whatever you enabled is NOT the right thing and should be > reverted. > > > //David > http://w3-4u.blogspot.com > http://blogs.msdn.com/David.Wang > // >
I don't use the UI to do these things so I really don't know what you
are describing. It sounds like you have the right idea, though there are many details which can affect whether you succeed or not and whether it is secure. But, that is always the case -- user configuration completely affects functionality and security. I can only say that you do NOT want to enable any sort of "Web" Sharing (which I think you can find in the Explorer Properties page under a tab) because that enables WebDAV, which is what causes the password dialog for http access. You want to leave everything back to the original configuration when files were readable with anonymous access. Instead, you want to enable "UNC Sharing" (which I think you can find in the Explorer right-click Context menu prior to the Properties page), which is where you can configure UNC shares which map to your physical folder. If you have NTFS, there are now TWO sets of ACLs that you can configure. One set exists on the UNC share itself. The other set exists on the files exposed by the UNC share. Your EFFECTIVE access of this network share is the restrictive AND of both those ACLs. In other words, if you set UNC share to only allow User1 Read access and the NTFS ACLs on files shared via UNC only allows User2 Read access, you will find access denied when you try to access this UNC share as either User1 or User2 -- because while User1 can access the UNC share, it has no rights to access the files that are shared, while USer2 can't even access the UNC share even though it can read the files in it. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // [quoted text, click to view] On Nov 14, 5:53 pm, "bbxrider" <bxtra...@job1data.com> wrote:
> thanks for the reply > if you can bear with me, i would just like to clear up the terminology > when you say 'add UNC file share' that means simply allowing sharing for > that folder, (vs not sharing) and i can further tweak that by > user permissions, eg, i could say create a user account that has > read+write+delete permissions only, without full control, execute, etc > so that when mapping a drive to a pc on the lan and there is the prompt for > username password, by establishing the map with user > account with limited access from above that 'map' has only those limited > permissions available to it? > yes??? > and reading up on smb, it looks like smb is enabled on ethernet by 'client > for ms networks' and 'file and printer sharing for ms networks' > and i never thought much about those since they always seem to be there, so > yes smb is on the lan. > it seems odd that smb would be allowed via internet, i'm not sure what that > would be about, it sounds dangerous and > it sounds somewhat like vpn's i set up to allow remote access to lans as > needed for certain apps > bob > > "David Wang" <w3.4...@gmail.com> wrote in message > > news:1195013927.789671.136260@i38g2000prf.googlegroups.com... > > > > > On Nov 13, 3:58 pm, "bbxrider" <bxtra...@job1data.com> wrote: > >> for sbs 2003, so far default iis setup, eg, inetpub/wwwroot, default > >> permissions, security etc > >> looks like i have to do this differently > >> have a folder for images, right now directly under wwwroot, using for > >> <img > >> tags for pics, etc on web pages like ebay, and others, works fine > >> then i went to share it on the local lan so it will would be easy to copy > >> /paste files there > >> after enabling sharing on the network or sharing on the web, and trying > >> to > >> access files via http, it became pass word protected for http access. > >> i would like it to be password protected for lan access only, actually so > >> i > >> can map drive access to it and allow anon access via http > >> so not sure how to or best way to do it > >> bob > > > You probably accidentally enabled "sharing on the web", which is not > > what you want. Get rid of that. > > > All you need to do from your default configuration is add a UNC File > > Share to the wwwroot\images folder. I assume you allow SMB traffic on > > Intranet and not Internet. > > > In this configuration, HTTP can get to everything externally that you > > expose via IIS. You can use SMB to access the UNC file share > > internally to do what you want. > > > For certain, whatever you enabled is NOT the right thing and should be > > reverted. > > > //David > >http://w3-4u.blogspot.com > >http://blogs.msdn.com/David.Wang > > //- Hide quoted text - > > - Show quoted text -
thanks very much for your thorough and thoughtful reply, that helps a lot
just one last thing, if your not using the UI i presume that means you can do anything in UI from the command line and therefore scripts. all that is documented somewhere? thanks again bob [quoted text, click to view] "David Wang" <w3.4you@gmail.com> wrote in message news:5f3a8be6-cc6c-4449-b4b1-f6af1e200131@d27g2000prf.googlegroups.com... >I don't use the UI to do these things so I really don't know what you > are describing. > > It sounds like you have the right idea, though there are many details > which can affect whether you succeed or not and whether it is secure. > But, that is always the case -- user configuration completely affects > functionality and security. > > I can only say that you do NOT want to enable any sort of "Web" > Sharing (which I think you can find in the Explorer Properties page > under a tab) because that enables WebDAV, which is what causes the > password dialog for http access. You want to leave everything back to > the original configuration when files were readable with anonymous > access. > > Instead, you want to enable "UNC Sharing" (which I think you can find > in the Explorer right-click Context menu prior to the Properties > page), which is where you can configure UNC shares which map to your > physical folder. > > If you have NTFS, there are now TWO sets of ACLs that you can > configure. One set exists on the UNC share itself. The other set > exists on the files exposed by the UNC share. Your EFFECTIVE access of > this network share is the restrictive AND of both those ACLs. > > In other words, if you set UNC share to only allow User1 Read access > and the NTFS ACLs on files shared via UNC only allows User2 Read > access, you will find access denied when you try to access this UNC > share as either User1 or User2 -- because while User1 can access the > UNC share, it has no rights to access the files that are shared, while > USer2 can't even access the UNC share even though it can read the > files in it. > > > //David > http://w3-4u.blogspot.com > http://blogs.msdn.com/David.Wang > // > > > > On Nov 14, 5:53 pm, "bbxrider" <bxtra...@job1data.com> wrote: >> thanks for the reply >> if you can bear with me, i would just like to clear up the terminology >> when you say 'add UNC file share' that means simply allowing sharing for >> that folder, (vs not sharing) and i can further tweak that by >> user permissions, eg, i could say create a user account that has >> read+write+delete permissions only, without full control, execute, etc >> so that when mapping a drive to a pc on the lan and there is the prompt >> for >> username password, by establishing the map with user >> account with limited access from above that 'map' has only those limited >> permissions available to it? >> yes??? >> and reading up on smb, it looks like smb is enabled on ethernet by >> 'client >> for ms networks' and 'file and printer sharing for ms networks' >> and i never thought much about those since they always seem to be there, >> so >> yes smb is on the lan. >> it seems odd that smb would be allowed via internet, i'm not sure what >> that >> would be about, it sounds dangerous and >> it sounds somewhat like vpn's i set up to allow remote access to lans as >> needed for certain apps >> bob >> >> "David Wang" <w3.4...@gmail.com> wrote in message >> >> news:1195013927.789671.136260@i38g2000prf.googlegroups.com... >> >> >> >> > On Nov 13, 3:58 pm, "bbxrider" <bxtra...@job1data.com> wrote: >> >> for sbs 2003, so far default iis setup, eg, inetpub/wwwroot, default >> >> permissions, security etc >> >> looks like i have to do this differently >> >> have a folder for images, right now directly under wwwroot, using for >> >> <img >> >> tags for pics, etc on web pages like ebay, and others, works fine >> >> then i went to share it on the local lan so it will would be easy to >> >> copy >> >> /paste files there >> >> after enabling sharing on the network or sharing on the web, and >> >> trying >> >> to >> >> access files via http, it became pass word protected for http access. >> >> i would like it to be password protected for lan access only, actually >> >> so >> >> i >> >> can map drive access to it and allow anon access via http >> >> so not sure how to or best way to do it >> >> bob >> >> > You probably accidentally enabled "sharing on the web", which is not >> > what you want. Get rid of that. >> >> > All you need to do from your default configuration is add a UNC File >> > Share to the wwwroot\images folder. I assume you allow SMB traffic on >> > Intranet and not Internet. >> >> > In this configuration, HTTP can get to everything externally that you >> > expose via IIS. You can use SMB to access the UNC file share >> > internally to do what you want. >> >> > For certain, whatever you enabled is NOT the right thing and should be >> > reverted. >> >> > //David >> >http://w3-4u.blogspot.com >> >http://blogs.msdn.com/David.Wang >> > //- Hide quoted text - >> >> - Show quoted text - >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |